EJ 05/23/2023, 8:57 PM
rp 05/24/2023, 4:28 AM
function.
- Once on the client.com/callback page, you should extract the access token from the query param and send it to the backend of client.com. Let's call this backend api.client.com.
- api.client.com then verifies the access token using any JWT verification lib (querying the JWKS endpoint from auth.com's backend).
- After access token verification, client.com can create its own session to keep the user logged into that site.

Note that this approach will only work if all the client.com sites are controlled by you. Once we have OAuth 2.0 features, you can easily replace this with the standard Auth code grant flow via PKCE / client secret.